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Status of this Memo 
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1. Abstract 


This note describes the MD4 message digest algorithm. The algorithm 
takes as input an input message of arbitrary length and produces as 
output a 128-bit "fingerprint" or "message digest" of the input. It 
is conjectured that it is computationally infeasible to produce two 
messages having the same message digest, or to produce any message 
having a given prespecified target message digest. The MD4 algorithm 
is thus ideal for digital signature applications, where a large file 
must be "compressed" in a secure manner before being signed with the 
RSA public-key cryptosystem. 


The MD4 algorithm is designed to be quite fast on 32-bit machines. 

On a SUN Sparc station, MD4 runs at 1,450,000 bytes/second. On a DEC 
MicroVax II, MD4 runs at approximately 70,000 bytes/second. Ona 
20MHz 80286, MD4 runs at approximately 32,000 bytes/second. In 
addition, the MD4 algorithm does not require any large substitution 
tables; the algorithm can be coded quite compactly. 


The MD4 algorithm is being placed in the public domain for review and 
possible adoption as a standard. 
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(Note: The document supersedes an earlier draft. The algorithm 
described here is a slight modification of the one described in the 
draft.) 

2. Terminology and Notation 


In this note a "word" is a 32-bit quantity and a byte is an 8-bit 
quantity. A sequence of bits can be interpreted in a natural manner 
as a sequence of bytes, where each consecutive group of 8 bits is 
interpreted as a byte with the high-order (most significant) bit of 
each byte listed first. Similarly, a sequence of bytes can be 
interpreted as a sequence of 32-bit words, where each consecutive 
group of 4 bytes is interpreted as a word with the low-order (least 
significant) byte given first. 


Let x_i denote "x sub i". If the subscript is an expression, we 
surround it in braces, as in x (i+1). Similarly, we use ^ for 
superscripts (exponentiation), so that x*i denotes x to the i-th 
power. 


Let the symbol "+" denote addition of words (i.e., modulo- 2%32 
addition). Let X <<< s denote the 32-bit value obtained by circularly 
shifting (rotating) X left by s bit positions. Let not(X) denote the 
bit-wise complement of X, and let X v Y denote the bit-wise OR of X 
and Y. Let X xor Y denote the bit-wise XOR of X and Y, and let XY 
denote the bit-wise AND of X and Y. 


3. MD4 Algorithm Description 


We begin by supposing that we have a b-bit message as input, and that 
we wish to find its message digest. Here b is an arbitrary 
nonnegative integer; b may be zero, it need not be a multiple of 8, 
and it may be arbitrarily large. We imagine the bits of the message 
written down as follows: 


m_O ml1... m (b-l) 


The following five steps are performed to compute the message digest 
of the message. 


Step 1. Append padding bits 


The message is "padded" (extended) so that its length (in bits) 
is congruent to 448, modulo 512. That is, the message is 
extended so that it is just 64 bits shy of being a multiple of 
512 bits long. Padding is always performed, even if the length 
of the message is already congruent to 448, modulo 512 (in 
which case 512 bits of padding are added). 


Rivest [Page 2] 


RFC 1186 


MD4 Message Digest Algorithm October 1990 


Padding is performed as follows: a single "1" bit is appended 
to the message, and then enough zero bits are appended so that 
the length in bits of the padded message becomes congruent to 
448, modulo 512. 


Step 2. Append length 


A 64-bit representation of b (the length of the message before 
the padding bits were added) is appended to the result of the 
previous step. In the unlikely event that b is greater than 
2°64, then only the low-order 64 bits of b are used. (These 
bits are appended as two 32-bit words and appended low-order 
word first in accordance with the previous conventions.) 


At this point the resulting message (after padding with bits 
and with b) has a length that is an exact multiple of 512 bits. 
Equivalently, this message has a length that is an exact 
multiple of 16 (32-bit) words. Let M[0 ... N-1] denote the 
words of the resulting message, where N is a multiple of 16. 


Step 3. Initialize MD buffer 


A 4-word buffer (A,B,C,D) is used to compute the message 
digest. Here each of A,B,C,D are 32-bit registers. These 
registers are initialized to the following values in 
hexadecimal, low-order bytes first): 


word A: 01 23 45 67 
word B: 89 ab cd ef 
word C: fe dc ba 98 
word D: 76 54 32 10 


Step 4. Process message in 16-word blocks 


Rivest 


We first define three auxiliary functions that each take 
as input three 32-bit words and produce as output one 
32-bit word. 


£(X,Y,Z) = XY v not(X)Z 
g(X,Y,Z) = XY v XZ v YZ 
h(X,Y,Z) = X xor Y xor Z 


In each bit position f acts as a conditional: if x then y else 
Did (The function f could have been defined using + instead of 
v since XY and not(X)Z will never have 1’s in the same bit 

position.) In each bit position g acts as a majority function: 
if at least two of x, y, z are on, then g has a one in that bit 
position, else g has a zero. It is interesting to note that if 
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the bits of X, Y, 
bit of £(X,Y,2Z) 
each bit of g(X,Y,Z) 
function h is the bit-wise 
properties similar to those 


Do the following: 
= 0 to N/16-1 do 
For j 0 to 15 do: 

Set X[j] to M[i*1 
end /* of loop on j 


For i 


Save A as AA, B as BB, C as CC, 


[Round 1] 

Let [A B C D i s] 
A = (A + £( 

Do the following 
[A BCD 0 
[DABC 1 
[IC DAB 2 
[IBCDA3 
[A BCD 4 
IDA BC 5 
[C DAB 6 
[B CDA7 
[A BCD 8 
[D ABC 9 
[C DAB 10 
[B C DA 11 
[A B C D 12 
[D ABC 13 
[C DA B 14 
[B C DA 15 

[Round 2] 

Let [A B C D i s] 
A = (A+ gl 

(The value 5A..99 

constant, 

first. This const 


root of 2. 
is 013240474631. 
Programming, 
Algorithms), Seco 
Addison-Wesley. 
Do the following 
[A BCD 0 


Volume 2 


"xor" or "parity" 
of f and g. 


/* copy block i into X */ 
6+j]. 

x/ 

and D as DD. 


denote the operation 
B,C,D) + X[i]) <<< s 
16 operations: 


denote the operation 
B,C,D) + X[i] + 5A827999) 
is a hexadecimal 32-bit 


written with the high-order digit 


ant represents the sguare 


See Knuth, The Art of 
(Seminumerical 
nd Edition (1981), 
Table 2, page 660.) 

16 operations: 

3] 


October 1990 


and Z are independent and unbiased, the each 
will be independent and unbiased, 
will be independent and unbiased. 
function; 


and similarly 


The 
it has 


/* process each 16-word block */ 


<<< S 


The octal value of this constant 
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[D ABC 4 5] 
[CDAB 8 9] 
[B C D A 12 13] 
[A BE DL- 3 
[D ABC 5 5] 
[C DAB 9 9] 
[B CD: A: 13:13) 
[A BCD 2 3] 
[D ABC 6 5] 
[C D A B 10 9] 
[B C D A 14 13] 
[A BCD 3 3] 
[IDABC 7 5] 
[C DA B 11 9] 
[B C D A 15 13] 
[Round 3] 
Let [A B C D i s] denote the operation 
A = (A + h(B,C,D) + X[i] + 6ED9EBA1) <<< s 


(The value 6E..Al is a hexadecimal 32-bit 
constant, written with the high-order digit 
first. This constant represents the square 
root of 3. The octal value of this constant 
is 015666365641. See Knuth, The Art of 
Programming, Volume 2 (Seminumerical 
Algorithms), Second Edition (1981), 
Addison-Wesley. Table 2, page 660.) 

Do the following 16 operations: 


[A BCD 0 3] 
[ID ABC 8 9] 
[C DAB 4 11] 
[B C D A 12 15] 
[A BCD 2 3] 
[D A B C 10 9] 
[C DAB 6 11] 
[B C D A 14 15] 
[A BCD 1 3] 
[ID ABC 9 9] 
[CDAB5 11] 
[B C D A 13 15] 
[A BCD 3 3] 
[D A B C 11 9] 
[CDAB7 11] 
[B C D A 15 15] 


Then perform the following additions: 
A =A + AA 
B = B+ BB 
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C =C + CC 

D = D + DD 
(That is, each of the four registers is incremented by 
the value it had before this block was started.) 


end /* of loop on i */ 


Step 5. Output 


The message digest produced as output is A,B,C,D. That is, we 
begin with the low-order byte of A, and end with the high-order 
byte of D. 


This completes the description of MD4. A reference 
implementation in C is given in the Appendix. 


4. Extensions 
If more than 128 bits of output are required, then the following 


procedure is recommended to obtain a 256-bit output. (There is no 
provision made for obtaining more than 256 bits.) 


Two copies of MD4 are run in parallel over the input. The first copy 
is standard as described above. The second copy is modified as 
follows. 


The initial state of the second copy is: 


word A: 00 11 22 33 
word B: 44 55 66 77 
word C: 88 99 aa bb 
word D: cc dd ee ff 


The magic constants in rounds 2 and 3 for the second copy of MD4 are 
changed from sqrt(2) and sqrt(3) to cuberoot(2) and cuberoot (3): 


Octal Hex 
Round 2 constant 012050505746 50a28be6 
Round 3 constant 013423350444 5c4dd124 


Finally, after every 16-word block is processed (including the last 
block), the values of the A registers in the two copies are 
exchanged. 


The final message digest is obtaining by appending the result of the 
second copy of MD4 to the end of the result of the first copy of MD4. 
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5. Summary 


The MD4 message digest algorithm is simple to implement, and provides 
a "fingerprint" or message digest of a message of arbitrary length. 


It is conjectured that the difficulty of coming up with two messages 
having the same message digest is on the order of 2764 operations, 
and that the difficulty of coming up with any message having a given 
message digest is on the order of 2128 operations. The MD4 
algorithm has been carefully scrutinized for weaknesses. It is, 
however, a relatively new algorithm and further security analysis is 
of course justified, as is the case with any new proposal of this 
sort. The level of security provided by MD4 should be sufficient for 
implementing very high security hybrid digital signature schemes 
based on MD4 and the RSA public-key cryptosystem. 
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APPENDIX - Reference Implementation 


This appendix contains the following files: 


md4.h -- header file for using MD4 implementation 

md4.c -- the source code for MD4 routines 

md4driver.c -- a sample "user" routine 

session -- sample results of running md4driver 
/* 
kk KA AZAZXZA AZ AZ A A AZ Z A A XZ ZA X XZ AA X X A X XZ AA X ZA X XZ AA X X A AZ XZ A A Z ZA AZ Z AXA X Z A Z XZ AA Z ZA ZK ZÁ KK EA 
** md4.h -- Header file for implementation of es 
** MD4 Message Digest Algorithm as 
** Updated: 2/13/90 by Ronald L. Rivest aes 
** (C) 1990 RSA Data Security, Inc. YA 


KK KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK 


kaa 


/* MDstruct is the data structure for a message digest computation. 
5 
typedef struct | 


unsigned int buffer[4]; /* Holds 4-word result of MD computation */ 
unsigned char count[8]; /* Number of bits processed so far */ 
unsigned int done; /* Nonzero means MD computation finished */ 


} MDstruct, *MDptr; 


/* MDbegin (MD) 
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** Input: MD -- an MDptr 

** Initialize the MDstruct prepatory to doing a message digest 
** computation. 

«ff 


extern void MDbegin(); 


/* MDupdate (MD, X, count) 


** Input: MD -- an MDptr 
YA X -- a pointer to an array of unsigned characters. 
x% count -- the number of bits of X to use (an unsigned int). 


** Updates MD using the first "count" bits of X. 

** The array pointed to by X is not modified. 

** If count is not a multiple of 8, MDupdate uses high bits of 

** last byte. 

** This is the basic input routine for a user. 

** The routine terminates the MD computation when count < 512, so 
** every MD computation should end with one call to MDupdate with a 
** count less than 512. Zero is OK for a count. 

s 


extern void MDupdate(); 


/* MDprint (MD) 

** Input: MD -- an MDptr 

** Prints message digest buffer MD as 32 hexadecimal digits. 

** Order is from low-order byte of buffer[0] to high-order byte 
** of buffer[3]. 

** Each byte is printed with high-order hexadecimal digit first. 
*/ 


extern void MDprint(); 


/* 
** End of md4.h 


KKKKKKKKKKKKKKKKKKKKKKKKKKKK (cut) KOK KKK KK KK KK KK KK KKK / 


/* 
kk KAAZZX ZA A AZ A A AZ Z A A X A A AX XZ AA XX AX XZ AA X ZA AZ XZ AA Z XZ A AZ XZ AA XZ ZA AZ XZ AA Z ZA Z Z ZA ZZ A ZÁ A KH EA 
** md4.c -- Implementation of MD4 Message Digest Algorithm o 
** Updated: 2/16/90 by Ronald L. Rivest kk 
** (C) 1990 RSA Data Security, Inc. KK 


kk KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK 


*/ 


/* 
** To use MD4: 

k -- Include md4.h in your program 

Ka -- Declare an MDstruct MD to hold the state of the digest 
EX computation. 

EX -- Initialize MD using MDbegin (&MD) 
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—- For each full block (64 bytes) X you wish to process, call 
MDupdate (&MD, X, 512) 
(512 is the number of bits in a full block.) 
-- For the last block (less than 64 bytes) you wish to process, 
MDupdate (&MD, X,n) 
where n is the number of bits in the partial block. A partial 
block terminates the computation, so every MD computation 
should terminate by processing a partial block, even if it 


has n = 0. 
-- The message digest is available in MD.buffer[0] 
MD.buffer[3]. (Least-significant byte of each word 


should be output first.) 
-- You can print out the digest using MDprint (&MD) 


Implementation notes: 

This implementation assumes that ints are 32-bit quantities. 

If the machine stores the least-significant byte of an int in the 
least-addressed byte (e.g., VAX and 8086), then LOWBYTEFIRST 
should be set to TRUE. Otherwise (e.g., SUNS), LOWBYTEFIRST 
should be set to FALSE. Note that on machines with LOWBYTEFIRST 
FALSE the routine MDupdate modifies has a side-effect on its input 
array (the order of bytes in each word are reversed). If this is 
undesired a call to MDreverse(X) can reverse the bytes of X back 
into order after each call to MDupdate. 


#define TRUE 1 
#define FALSE 0 
#define LOWBYTEFIRST FALSE 


/* 
* ff 


Compile-time includes 


#include <stdio.h> 
#include "md4.h" 


/* Compile-time declarations of MD4 "magic constants". 
x. 
#define I0 0x67452301 /* Initial values for MD buffer */ 


#define Il Oxefcdab89 
#define I2  0x98badcfe 
#define I3 0x10325476 


#define C2 013240474631 /* round 2 constant = sqrt(2) in octal */ 
#define C3 015666365641 /* round 3 constant = sqrt(3) in octal */ 
/* C2 and C3 are from Knuth, The Art of Programming, Volume 2 


xk 
xk 


*/ 


(Seminumerical Algorithms), Second Edition (1981), Addison-Wesley. 
Table 2, page 660. 
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+define fsl 3 /* round 1 shift amounts */ 
+define fs2 7 
+define fs3 11 
+define fs4 19 
#define gsl 3 /* round 2 shift amounts */ 
#define gs2 5 
#define gs3 9 
#define gs4 13 
#define hsl 3 /* round 3 shift amounts */ 
#define hs2 9 
#define hs3 11 
#define hs4 15 


/* Compile-time macro declarations for MD4. 
operator uses the variable 


** Note: 
** Tt assumes tmp is declared as unsigned int, 


The 


" rot " 


" tmp W R 
so that the >> 


** operator will shift in zeros rather than extending the sign bit. 


*/ 

#define f(X,Y, ((X&Y) | ((7X)&Z)) 

#define g(X,Y, ( (X&Y) | (Kez) | (Y&Z)) 

#define h(X,Y, (X^Y^Z) 

#define rot (X, (tmp=X, (tmp<<S) (tmp>>(32-S))) 
+define ff(A,B i,s) A = rot((A + £(B,C,D) + X[i]),s) 
#define gg(A,B i,s) A = rot((A + ae C,D) + X[i] + C2),s) 
#define hh(A,B i,s) A = eG h(B,C,D) + X[i] + C3),s) 


/* MDprint (MDp) 


** Print message digest buffer MDp as 32 hexadecimal digits. 
** Order is from low-order byte of buffer[0] to high-order byte of 
** buffer[3]. 
** Each byte is printed with high-order hexadecimal digit first. 
** This is a user-callable routine. 
*/ 
void 
MDprint (MDp) 
MDptr MDp; 
{ int i,j; 
for (i=0ji<4;i++) 
for (j=0;j<32; j= 3+8) 

printf ("%S02x", (MDp->buffer[i]>>j) 4 OxFF); 

} 


/* MDbegin (MDp) 

** Initialize message digest buffer MDp. 
** This is a user-callable routine. 

*/ 

void 

MDbegin (MDp) 


Rivest 


[Page 10] 


RFC 1186 MD4 Message Digest Algorithm October 1990 


MDptr MDp; 
{ int i; 
MDp->buffer[0] = IO; 
MDp->buffer[1] = I1; 
MDp->buffer[2] = 12; 
MDp->buffer[3] = 13; 
for (i=0;i<8;i++) MDp->count [i] = 0; 
MDp->done = 0; 
} 
/* MDreverse (X) 


** Reverse the byte-ordering of every int in X. 
** Assumes X is an array of 16 ints. 
** The macro revx reverses the byte-ordering of the next word of X. 
rat 
#define revx { t = (*X << 16) | (*X >> 16); \ 
*X++ = ((t & OxFF00FF00) >> 8) | ((t & OxOOFFOOFF) << 8); } 

MDreverse (X) 
unsigned int *X; 
1 register unsigned int t; 

revx; revX; revX; revx; revX; revx; revX; revx; 

revx; revx; revx; revx; revx; revx; revx; revx; 


} 


/* MDblock (MDp, X) 
** Update message digest buffer MDp->buffer using 16-word data block X. 
** Assumes all 16 words of X are full of data. 
** Does not update MDp->count. 
** This routine is not user-callable. 
x/ 
static void 
MDblock (MDp, X) 
MDptr MDp; 
unsigned int *X; 
{ 
register unsigned int tmp, A, B, C, D; 
#if LOWBYTEFIRST == FALSE 
MDreverse (X); 
#endif 
A = MDp->buffer[0]; 
B = MDp->buffer[1]; 
C MDp->buffer[2]; 
D = MDp->buffer[3]; 
/* Update the message digest buffer */ 


ff(A , B, C, D, 0., fs1); /* Round 1 */ 
PE (Dje Ay. "Beye Gog Jl) cp ESD? 
FE (ED up Ao yg (Bog Z ESB) 5 
ff (B?. 3 "Cz" Dion Ag 3. 7g BSL) 
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} 
/* 


** 
** 
** 
** 
** 
** 
** 
** 
** 
** 
** 
** 
AY. 
vo 
MD 
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MDupdate (MDp, X, count) 

Input: MDp -- an MDptr 
X -- a pointer to an array of unsigned characters. 
count -- the number of bits of X to use. 


(if not a multiple of 8, uses high bits of last byte.) 
Update MDp using the number of bits of X given by count. 
This is the basic input routine for an MD4 user. 
The routine completes the MD computation when count < 512, so 
every MD computation should end with one call to MDupdate with a 
count less than 512. A call with count 0 will be ignored if the 
MD has already been terminated (done != 0), so an extra call with 
count 0 can be given as a "courtesy close" to force termination 
if desired. 


id 
update (MDp, X, count) 


MDptr MDp; 
unsigned char *X; 
unsigned int count; 


{ 


unsigned int i, tmp, bit, byte, mask; 
unsigned char XX[64]; 
unsigned char *p; 
/* return with no error if this is a courtesy close with count 
** zero and MDp->done is true. 
*/ 
if (count == 0 && MDp->done) return; 
/* check to see if MD is already done and report error */ 
if (MDp->done) 
{ printf ("XnError: MDupdate MD already done."); return; } 
/* Add count to MDp->count */ 
tmp = count; 
p = MDp->count; 
while (tmp) 
( tmp += *p; 
*p++ = tmp; 
tmp = tmp >> 8; 
} 
/* Process data */ 
if (count == 512) 
{ /* Full block of data to handle */ 
MDblock (MDp, (unsigned int *)X); 
} 
else if (count > 512) /* Check for count too large */ 
{ printf ("\nError: MDupdate called with illegal count value %d." 
„count); 
return; 
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} 
else /* partial block -- must be last block so finish up */ 
{ /* Find out how many bytes and residual bits there are */ 
byte = count >> 3; 
bit = count & 7; 
/* Copy X into XX since we need to modify it */ 
for (i=0;i<=byte; i++) XX[i] = X[il; 
for (i=byte+1;i<64;i++) XX[i] = 0; 
/* Add padding '1' bit and low-order zeros in last byte */ 
mask = 1 << (7 - bit); 
XX[byte] = (XX[byte] | mask) 4 ~( mask - 1); 
/* If room for bit count, finish up with this block */ 
if (byte <= 55) 
{ for (i=0;i<8;i++) XX[56+i] = MDp->count [i]; 
MDblock (MDp, (unsigned int *) XX); 
} 
else /* need to do two blocks to finish up */ 
1 MDblock (MDp, (unsigned int *) XX); 
for (i=0;i<56;i++) XX[i] = 0; 
for (i=0;i<8;i++) XX[56+i] = MDp->count [i]; 
MDblock (MDp, (unsigned int *)XX); 
} 
/* Set flag saying we’re done with MD computation */ 
MDp->done = 1; 
} 
End of md4.c 


KKKKKKKKKKKKKKKKKKKKKKKKKKKK (cut) KOR KKK KK KK KK OK KK OK KK KK / 


/* 
xk 
xk 
xk 
xk 
kk 
xk 


*/ 


KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK 


md4driver.c -- sample routines to test a 
MD4 message digest algorithm. ae 
Updated: 2/16/90 by Ronald L. Rivest * 
(C) 1990 RSA Data Security, Inc. Wa 


KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK 


#include <stdio.h> 
#include "md4.h" 


/* MDtimetrial () 

** A time trial routine, to measure the speed of MD4. 
** Measures speed for 1M blocks = 64M bytes. 

* 

MDtimetrial () 
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1 unsigned int X[16]; 
MDstruct MD; 
int i; 
double t; 
for (i=0;i<16;i++) X[i] = 0x01234567 + i; 
printf 
("MD4 time trial. Processing 1 million 64-character blocks...\n"); 
clock (); 
MDbegin (&MD) ; 
for (i=0;1<1000000;i++) MDupdate (&MD,X,512); 
MDupdate (&MD,X, 0); 


t = (double) clock(); /* in microseconds */ 
MDprint (&MD); printf(" is digest of 64M byte test input.\n"); 
printf ("Seconds to process test input: Sgin,t/le6); 


printf ("Characters processed per second: %ld.\n, (int) (64e12/t)); 
} 


/* MDstring(s) 
** Computes the message digest for string s. 
** Prints out message digest, a space, the string (in guotes) and a 
** carriage return. 
x/ 
MDstring(s) 
unsigned char *s; 
{ unsigned int i, len = strlen(s); 
MDstruct MD; 
MDbegin (&MD) ; 
for (i=0;i+64<=len;i=i+64) MDupdate (6MD,s+i,512); 
MDupdate (&MD, sti, (len-i)*8); 
MDprint (&MD); 
printf Ves \n SI 
} 


/* MDfile (filename) 
** Computes the message digest for a specified file. 
** Prints out message digest, a space, the file name, and a 
** carriage return. 
x/ 
MDfile (filename) 
char *filename; 
( FILE *f = fopen(filename, "rb"); 
unsigned char X[64]; 
MDstruct MD; 
int b; 
if (f == NULL) 
{ printf("%s can’t be opened.\n",filename); return; } 
MDbegin (&MD) ; 
while ((b=fread(X,1,64,f))!=0) MDupdate(&MD,X,b*8); 
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MDupdate (&MD,X, 0); 
MDprint (&MD); 

printf (" %s\n", filename); 
fclose (f); 


/* MDfilter() 
** Writes the message digest of the data from stdin onto stdout, 
** followed by a carriage return. 
K 
MDfilter () 
{ unsigned char X[64]; 
MDstruct MD; 


int b; 
MDbegin (&MD) ; 
while ((b=fread(X,1,64,stdin) ) !=0) MDupdate (&MD, X,b*8); 


MDupdate (&MD,X, 0); 
MDprint (&MD); 
printf ("n"); 

} 


/* MDtestsuite() 

** Run a standard suite of test data. 
x/ 

MDtestsuite() 


{ 
printf("MD4 test suite results:\n"); 


} 


main (argc, argv) 
int argc; 
char *argv[]; 


1990 


MDstring(""); 

MDstring("a"); 

MDstring ("abc"); 

MDstring("message digest"); 

MDstring ("abcdefghijklmnopgrstuvwxyz"); 

MDstring 
("ABCDEFGHIJKLMNOPORSTUVWXYZabcdefghijklmnopgrstuvwxyz0123456789"); 
MDfile("foo"); /* Contents of file foo are "abc" */ 


{ int i; 

/* For each command line argument in turn: 
** filename -- prints message digest and name of file 
** —sstring -- prints message digest and contents of string 
k -- prints time trial statistics for 64M bytes 
** -x -- execute a standard suite of test data 
** (no args) -—- writes messages digest of stdin onto stdout 
x 
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if (argc==1) MDfilter(); 
else 
for (i=1;i<argc;i+t) 
if (argv[i] [0]==’-’ && argv[i] [1]==’s’) MDstring(argv[i]+2); 


else if (strcmp (argv[i],"-t") ==0) MDtimetrial(); 
else if (strcmp (argv[i],"-x") ==0) MDtestsuite(); 
else MDfile(argv[i]); 


} 
/* 


** end of md4driver.c 
KKEKKKKKKKKKKKK KK KKK KKK k 4 (cut) KOK KKK KK KK KK OK KK OK KK KK KK / 


>ls 

total 66 

-rw-rw-r-- 1 rivest 3 Feb 14 17:40 abcfile 
-rwxrwxr-x 1 rivest 24576 Feb 17 12:28 md4 
-rw-rw-r-- 1 rivest 9347 Feb 17 00:37 md4.c 
-rw-rw-r-- 1 rivest 25150 Feb 17 12:25 md4.doc 
-rw-rw-r-- 1 rivest 1844 Feb 16 21:21 md4.h 
-rw-rw-r-- 1 rivest 3497 Feb 17 12:27 md4driver.c 
> 

>cc -o md4 -04 md4.c md4driver.c 

md4.c: 

md4driver.c: 

Linking: 

> 

>md4 -x 


MD4 test suite results: 

31d6cfe0dl6ae931b73c59d7e0c089c0 "" 

bde52cb31de33e46245e05fbdbd6fb24 "a" 

a448017aaf21d8525fc10ae87aa6729d "abc" 

d9130a8164549fe818874806e1c7014b "message digest" 

d79e1c308aa5bbbcdeea8ed63df412da9 "abcdefghijklmnopgrstuvwxyz" 

043f8582f241db351ce627e153e7f0e4 
"ABCDEFGHIJKLMNOPORSTUVWXYZabcdefghijklmnopgrstuvwxyz0123456789" 

a448017aaf21d8525fc10ae87aa6729d abcfile 

> 

>md4 -sabc -shi 

a448017aaf21d8525fc10ae87aa6729d "abc" 

cfaee2512bd25eb033236f0cd054e308 "hi" 

> 

>md4 * 

a448017aaf21d8525fc10ae87aa6729d abcfile 
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d316£994da0e951c£9502928al1£73300 
379adb3 9YeadaNdfdbbdfdcd0d9def8c4 
9a3f£73327c65954198b1f45a3aa12665 
37fe165ac177b461ff78b86d10e4ff33 
Tdcba2e2dc4d8f1408d08beb17dabb2a 
08790161bfddc6f5788b4353875cb1c3 
1£84a7£690b0545d2d0480d5d3c26eea 
> 

>cat abcfile | md4 
a448017aaf21d8525fc10ae87aa6729d 
> 

>md4 -t 


MD4 time trial. Processing 1 million 64-character blocks... 


Digest Algorithm 


md4 

md4.c 
md4.doc 
md4.h 

md4.o 
md4driver.c 
md4driver.o 


October 1990 


6325bf77e5891c7/c0d8104b64cc6e9ef is digest of 64M byte test input. 


Seconds to process test input: 
Characters processed per second: 


AAA end of sample session 


44.0982 
1451305. 


Note: A version of this document including the C source code is 


available for FIP from THEORY.LSC.MIT.EDU in the file 


Security Considerations 


"md4.doc". 


The level of security discussed in this memo by MD4 is considered to 
be sufficient for implementing very high security hybrid digital 
signature schemes based on MD4 and the RSA public-key cryptosystem. 


Author's Address 


Ronald L. Rivest 


Massachusetts Institute of Technology 


Laboratory for Computer Science 


NE43-324 
545 Technology Square 
Cambridge, MA 02139-1986 


Phone: (617) 253-5880 


EMail: rivest@theory.lcs.mit.edu 


Rivest 


[Page 18] 


